PatchSiren cyber security CVE debrief

CVE-2026-40765 collectchat CVE debrief

CVE-2026-40765 is a high-severity unauthenticated Cross-Site Scripting (XSS) vulnerability in the collectchat plugin, affecting versions up to and including 2.4.9. It carries a CVSS base score of 7.1 (HIGH). It was published on June 17, 2026, and last modified on the same day. The vulnerability allows an unauthenticated attacker to inject script into pages served by the application. Users of the collectchat plugin should take immediate action to mitigate this vulnerability. The CVE record and NVD detail provide further information.

Vendor: collectchat
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the collectchat plugin versions up to 2.4.9 should be aware of this vulnerability and take the necessary steps to secure their installations. Web application security teams and developers using this plugin should prioritize patching or mitigating it.

Technical summary

CVE-2026-40765 is an unauthenticated Cross-Site Scripting (XSS) vulnerability in the collectchat plugin. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges required, user interaction required, with a changed scope and low impact on confidentiality, integrity and availability. It was reported by [email protected] and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability affects collectchat plugin versions up to 2.4.9.

Defensive priority

High

Recommended defensive actions

  • Update the collectchat plugin to the latest version.
  • Implement web application firewall (WAF) rules to detect and prevent XSS attacks.
  • Use input validation and output encoding to prevent script injection.
  • Monitor the application for suspicious activity.
  • Restrict access to the collectchat plugin to authorized users only.
  • Consider using a security plugin or service to detect and mitigate vulnerabilities.

Evidence notes

The vulnerability was reported by Patchstack and is documented in the CVE record and NVD detail. The CVSS score and vector are the measure of severity used in this debrief.
